A critical-severity vulnerability that lingered in Redis for 13 years potentially exposes 60,000 servers to exploitation, cybersecurity firm Wiz warns.
Redis is an open source platform that stores data in memory, primarily used as an application cache or quick-response database, because it offers increased speed and performance.
By default, the official Redis container does not require authentication, as instances should be deployed internally and not be internet-accessible, but there are roughly 330,000 Redis servers exposed to the internet, and 60,000 of them have no authentication.
“The combination of no authentication and exposure to the internet is very dangerous, allowing anyone to query the Redis instance and, specifically, send Lua scripts (which are enabled by default),” Wiz notes.
This exposes the servers to exploitation of the newly discovered CVE-2025-49844 (CVSS score of 10/10), named RediShell, a use-after-free issue that could allow authenticated attackers to execute arbitrary code remotely.
Underlining that roughly 75% of cloud environments rely on Redis, Wiz explains that an attacker could fully compromise a system by sending a malicious Lua script to trigger the bug and escape the Lua sandbox to achieve code execution.
The script could also deploy a reverse shell to establish persistent access, allowing attackers to harvest credentials and other sensitive information, exfiltrate data, install malware, move laterally using the stolen sensitive data, and escalate their privileges.
“More Redis instances are exposed to internal networks where authentication is not prioritized, allowing any host in the local network to connect to the database server. An attacker with a foothold in the cloud environment could gain access to sensitive data and exploit the vulnerability to run arbitrary code for lateral movement into sensitive networks,” Wiz notes.
On October 3, Redis versions 7.22.2-12, 7.8.6-207, 7.4.6-272, 7.2.4-138, and 6.4.2-131 were released with patches for the vulnerability. Redis also rolled out OSS/CE versions 8.2.2, 8.0.4, 7.4.6, and 7.2.11, and Stack versions 7.4.0-v7 and 7.2.0-v19.
According to Redis, which notes that the flaw can be exploited by manipulating the garbage collector, cloud deployments have been automatically updated to the new versions, but self-managed instances should be upgraded to the latest releases as soon as possible.
Redis also recommends limiting network access to servers, enforcing strong authentication methods, ensuring protected-mode is enabled (in CE and OSS), and implementing the minimum necessary permissions for user accounts that have access to the servers.
“Use firewalls and network policies to limit access to trusted sources and prevent unauthorized connectivity. […] Only allow trusted identities to run Lua scripts or any other potentially harmful commands,” Redis notes.
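The hardening advice above (protected-mode on, restricted network access, authentication on every account, Lua scripting limited to trusted identities) can be checked mechanically against a configuration file. The following is an added example, not code from the article, from Wiz or from Redis: it parses a redis.conf fragment and reports settings that contradict those recommendations. The two configurations, the user names and the passwords are constructed placeholders, and the ACL handling interprets only the subset of rule tokens used in them.

```python
"""Audit a redis.conf fragment against the hardening advice quoted above.

Added example (not from the article, Wiz or Redis). The two configurations
at the bottom are constructed; passwords and user names are placeholders.
"""
from typing import Dict, List, Tuple

# Commands that load or run Lua scripts / server-side functions; all belong
# to the @scripting ACL category.
SCRIPTING_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "script",
                  "function", "fcall", "fcall_ro"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to the list of its values, in file order.
    Repeated directives (e.g. several 'user' lines) are all kept."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        conf.setdefault(name.lower(), []).append(rest.strip())
    return conf


def acl_user_state(rules: List[str]) -> Tuple[bool, bool, bool]:
    """Reduce an ACL rule list to (enabled, has_password, can_run_scripts).
    Only the rule tokens used in this example are interpreted; ACL rules
    apply left to right, so a later rule overrides an earlier one."""
    enabled = has_password = scripting = False
    for rule in rules:
        r = rule.lower()
        if r == "on":
            enabled = True
        elif r == "off":
            enabled = False
        elif r in ("nopass", "resetpass"):
            has_password = False
        elif r.startswith((">", "#")):        # clear-text or SHA-256 hashed password
            has_password = True
        elif r in ("+@all", "allcommands", "+@scripting"):
            scripting = True
        elif r in ("-@all", "nocommands", "-@scripting"):
            scripting = False
        elif r[0] in "+-" and r[1:] in SCRIPTING_CMDS:
            scripting = r[0] == "+"
    return enabled, has_password, scripting


def audit(conf: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for settings that contradict the advice."""
    findings: List[str] = []
    # protected-mode defaults to yes; an explicit 'no' removes the guard that
    # refuses unauthenticated clients from non-loopback addresses.
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is disabled")
    # Without 'bind', or with a wildcard, the listener is reachable on every interface.
    bind = conf.get("bind")
    if not bind or any(a.lstrip("-") in ("0.0.0.0", "*", "::") for a in bind[-1].split()):
        findings.append("bind exposes the listener on all interfaces")
    requirepass = bool(conf.get("requirepass"))
    users: Dict[str, Tuple[bool, bool, bool]] = {}
    for line in conf.get("user", []):
        name, *rules = line.split()
        users[name] = acl_user_state(rules)
    # With no 'user default' line the built-in default user is enabled, may run
    # every command, and has a password only if requirepass is set.
    if "default" not in users:
        users["default"] = (True, requirepass, True)
    for name, (enabled, has_password, scripting) in users.items():
        if not enabled:
            continue
        if not has_password:
            findings.append(f"user '{name}' requires no password")
        if scripting:
            findings.append(f"user '{name}' may run Lua scripts (@scripting)")
    return findings


# Constructed: the kind of configuration behind the exposed instances described above.
WEAK_CONF = """
protected-mode no
bind 0.0.0.0
port 6379
"""

# Constructed: loopback only, a (placeholder) password on every user, scripting
# removed from the default user and granted to one named identity only.
HARDENED_CONF = """
protected-mode yes
bind 127.0.0.1 -::1
port 6379
user default on >placeholder-password ~* &* +@all -@scripting
user jobrunner on >placeholder-password ~jobs:* &* +@read +@scripting
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_redis_conf(text)) or ["no findings"])
```

On the hardened fragment the only finding is that `jobrunner` keeps scripting, which is the intended "trusted identities only" outcome rather than a defect. Against a running server the same checks would be fed from `CONFIG GET` and `ACL LIST` output instead of a file.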
There is no evidence that CVE-2025-49844 has been exploited in the wild. Unauthorized access to the database, anomalous traffic to the server, unknown use of scripting commands, unexpected crashes tracing to the Lua engine, and anomalous command execution or file system changes could indicate potential compromise.
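One of the indicators listed above, unknown use of scripting commands, can be checked against the output of the Redis `MONITOR` command. The block below is an added example and not part of the article: the MONITOR lines and the trusted address ranges are constructed, and the check flags `EVAL`, `EVALSHA`, `SCRIPT` and the function-related commands issued by any client outside an allowlist of networks that are expected to run scripts.

```python
"""Flag Lua scripting commands in Redis MONITOR output that come from
untrusted clients.

Added example (not from the article). The MONITOR lines and the trusted
address ranges below are constructed.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Commands that load or run Lua scripts / server-side functions.
SCRIPTING_COMMANDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO",
                      "SCRIPT", "FUNCTION", "FCALL", "FCALL_RO"}

# MONITOR line shape: <unix time> [<db> <client>] "cmd" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
# Double-quoted arguments with backslash escapes, as Redis prints them.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_monitor_line(line: str) -> Optional[Dict[str, object]]:
    """Split one MONITOR line into its fields; None if it is not a MONITOR line."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("args"))
    if not args:
        return None
    return {"ts": float(m.group("ts")), "db": int(m.group("db")),
            "client": m.group("client"), "command": args[0].upper(), "args": args[1:]}


def client_ip(client: str) -> str:
    """Strip the port from 'ip:port' or '[v6]:port'; other forms (the 'lua'
    pseudo-client, unix socket paths) are returned unchanged."""
    host, sep, _port = client.rpartition(":")
    return host.strip("[]") if sep else client


def is_trusted(client: str, networks: Iterable[object]) -> bool:
    """True if the client's address falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(client_ip(client))
    except ValueError:        # not an IP address at all, so never trusted
        return False
    return any(ip in net for net in networks)


def flag_script_use(lines: Iterable[str], trusted_cidrs: Iterable[str]) -> List[Dict[str, object]]:
    """Return the parsed events for scripting commands from untrusted clients."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return [ev for ev in map(parse_monitor_line, lines)
            if ev and ev["command"] in SCRIPTING_COMMANDS
            and not is_trusted(str(ev["client"]), nets)]


# Constructed sample: two internal clients and one external address that
# loads and runs scripts although it is not expected to.
SAMPLE_MONITOR = """
1759500001.123456 [0 10.0.0.12:51234] "GET" "session:abc"
1759500002.234567 [0 203.0.113.7:40022] "EVAL" "return redis.call(\\"get\\", KEYS[1])" "1" "session:abc"
1759500003.345678 [0 10.0.0.12:51234] "SET" "session:abc" "{}"
1759500004.456789 [0 10.0.0.20:39000] "EVALSHA" "placeholdersha" "1" "jobs:42"
1759500005.567890 [0 203.0.113.7:40022] "SCRIPT" "LOAD" "return 1"
""".strip().splitlines()

if __name__ == "__main__":
    for ev in flag_script_use(SAMPLE_MONITOR, ["10.0.0.0/8"]):
        print(f"{ev['ts']:.0f} {ev['client']} {ev['command']} {ev['args'][:1]}")
```

With `10.0.0.0/8` as the only trusted range, the `EVALSHA` from the internal job runner is accepted and the two commands from 203.0.113.7 are reported. MONITOR also attributes commands that a script itself issues to the pseudo-client `lua`, so counting events per client alongside this check gives a second view of how much scripting is happening and from where.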
“RediShell (CVE-2025-49844) represents a critical security vulnerability that affects all Redis versions due to its root cause in the underlying Lua interpreter. With hundreds of thousands of exposed instances worldwide, this vulnerability poses a significant threat to organizations across all industries,” Wiz said.
In an emailed comment, Tuskira co-founder and CEO Piyush Sharma underlined the risks associated with the exploitation of this vulnerability in the context of tens of thousands of servers being accessible from the internet without authentication.
“This Lua-based use-after-free flaw reinforces the need for proactive exposure management. Security teams should identify misconfigured or outdated Redis builds through continuous asset discovery and validate real-world exploitability using safe simulations,” Sharma said.
“To mitigate risk, disable Lua for untrusted users, monitor Redis process behavior at the endpoint and network level, and isolate exposed nodes. Redis itself should adopt safer defaults and firewall protections to reduce public exposure,” he added.